Resources
I love to learn about new things, so I will update this page with recommendations or suggestions of content that is helpful, or what to avoid, across a range of topics.
Courses
SANS 401 - Security Essentials
A great broad start in the industry. Bryan helped me get my broad basis of understanding of security technologies, threats, risk management, and more. Overall, if you’re starting out, I think that 401 covers a lot of basics to give you the baseline you need to be a broad security professional initially. 5/5
SANS 504 - Hacker Tools, Techniques, Exploits, and Incident Handling
Mick was a great instructor when I did the course. 504 really helps you understand how to respond to traditional attack vectors and to slow down your IR techniques to be effective. I enjoy seeing how an attack is performed and then how to work to control it initially and, if it occurs anyway, how to respond appropriately. Following the NIST guidelines was very helpful in creating a standard and repeatable method for incident response. 5/5
Paladin Risk Management - Introduction to Risk
Rod was quite a passionate instructor for risk management. The course content was good, but the issue I had was that it was not directly applicable at the time, as I was working within an organisation that was misusing technical risk quite badly. I would be happy to have a repeat course from Rod sometime to solidify concepts now that I am in a position to influence and push for strong risk management across an organisation, instead of locally at a technical level. 4/5
CISM Certification Training
Gary was a very knowledgeable trainer, and with regard to CISM training was always able to bring people back from technical depths to high-level risk management and stakeholder engagement. While the CISM exam itself is fairly easy, I felt that what I learned from Gary was suitable for me to sit the exam and pass comfortably, but having case studies and actual real-world experience was a lot more valuable than the content. 4/5
Certifications
University Degree
A university degree is a mixed bag. It gives you a baseline set of skills which you can choose based on where you want to go in the future, but for the cost you COULD do these online from Coursera or Udemy, or even for free with MIT/Stanford free resources. The biggest benefit overall of a degree is that it simply opens up opportunities. Many companies will not consider candidates that do not have a university qualification. International work permits are also generally given to people who have higher education in a skill shortage domain (like IT).
Personally, I’d recommend young people take a gap year (or three) and focus on learning life skills rather than heading to university. If you are older, you will have more discipline to study more effectively and understand how it helps you in the long run. You’ll also pick courses that are relevant for your career and be able to have your life experiences help you make better use of your time at university. When I did university, I went in straight from school, but it was only in my last year that I really gunned studying instead of playing games. I’ve since had to catch up a fair bit on topics I winged at university and wish I had spent more time looking into those than ganking in League of Legends. Just figure out what you want to do: university can be an expensive holiday for 3-4 years, or it could be a valuable beginning to a career.
GCIH
Quite focussed on technical security, especially scripting and modern network/web protocols as well as exploit vectors and NIST IR standards. I think that having the certification challenge was important and helped solidify the practical concepts for me. I would highly recommend this if you’ve done the partnering SANS 504 coursework as well.
CISM
I do not rate this certification. It is too easy to pass, and there is not much you can learn from the course content itself (better to head to a pub with an infosec greybeard and chat for 4 hours about incidents). The exam content itself feels very dated. Technical questions mention technologies that MAY be in use with financial / government organisations, as they tend to not update their enterprise stack often. BUT for any remotely modern organisation you’ll find the mention of protocols like SOAP, FTP, and SNMP to be very common (even if today everybody uses REST and HTTPS). Security controls like IDS and firewalls are commonly written about, but I have seen no content regarding application or cloud security. The exam is security program management focussed and enterprise focussed, and I appreciate that and recognise that. But the fact that a lot of the content still references old technology makes me feel that people are not working to keep the content relevant to a modern audience.
I cannot recommend CISM except as a resume HR Filter.
Podcasts
Risky Business
Good to get started in the industry, learn some lingo, and for a regular news update. The content is a little shallow unfortunately, and their format of 10 mins of reading news, 20 mins interview, 20 mins vendor broadcast is fun but not the most insightful. I think you’ll get a lot out of this show if you are new to the industry as it’ll help you learn about what’s going on, what some challenges are in this space, and what business opportunities exist that are trying to be solved. 3/5.
Prof G Show
While Scott may be initially grating for some listeners, he is very knowledgeable on brand positioning and can help you understand the financials behind how tech companies operate. His guests have varied backgrounds, generally leaning to academics or political, but overall entertaining and a good way to be aware of which companies are good from an investment perspective. My only concern is that his humour and talking style, while engaging and fun for me, may not be a hit for a lot of people, so be prepared. 4/5
Making Sense w/ Sam Harris
Sam generally covers deep-dive topics with experts in their field. Go into a few with an open mind, otherwise you’ll feel a bit annoyed at some episodes. I find some are hit and miss based on your personal interest in the topic. Good for sitting yourself down and learning the intricacies of controversial, difficult to understand, or plain unconventional topics. 4/5
Nucleus Investment Insights
Nucleus Wealth is a company focussing on, oddly enough, wealth generation within Australia. Their podcast covers real estate investment, monetary theory, growth assets, superannuation, and other financial topics. Not a podcast for beginners without financial or economic literacy, and a bit of prep work / editing is needed (on account of having 4-5 people chatting each episode). But a great resource for understanding wealth within Australia. 3/5
Books
I have read a lot of books; here I’ll list what is good or bad and why.